Description of problem:
Starting a container with label=role:object_r on rhel7.2 fails with a panic.

Version-Release number of selected component (if applicable):
os version: rhel7.2
[root@ip-172-18-6-200 ~]# rpm -qa|grep docker
docker-common-1.12.3-8.el7.x86_64
docker-1.12.3-8.el7.x86_64
docker-rhel-push-plugin-1.12.3-8.el7.x86_64
[root@ip-172-18-6-200 ~]#
[root@ip-172-18-6-200 ~]# rpm -qa|grep selinux
libselinux-utils-2.5-6.el7.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
libselinux-devel-2.5-6.el7.x86_64
libselinux-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.4.noarch
libselinux-python-2.5-6.el7.x86_64
container-selinux-1.12.3-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. [root@ip-172-18-6-200 ~]# docker run -it --security-opt label=role:object_r --entrypoint=/bin/bash docker.io/ocpqe/hello-pod:latest
panic: standard_init_linux.go:175: exec user process caused "permission denied" [recovered]
	panic: standard_init_linux.go:175: exec user process caused "permission denied"

goroutine 1 [running, locked to thread]:
panic(0x7ec7c0, 0xc820134bd0)
	/usr/lib/golang/src/runtime/panic.go:481 +0x3e6
github.com/urfave/cli.HandleAction.func1(0xc8201092e8)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x38e
panic(0x7ec7c0, 0xc820134bd0)
	/usr/lib/golang/src/runtime/panic.go:443 +0x4e9
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc820108bf8, 0xc82001a0a8, 0xc820108d08)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x136
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc820058820, 0x7f8ba15c4548, 0xc820134bd0)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x5b1
main.glob.func8(0xc820076780, 0x0, 0x0)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/main_unix.go:26 +0x68
reflect.Value.call(0x750ee0, 0x902d00, 0x13, 0x848d08, 0x4, 0xc820109268, 0x1, 0x1, 0x0, 0x0, ...)
	/usr/lib/golang/src/reflect/value.go:435 +0x120d
reflect.Value.Call(0x750ee0, 0x902d00, 0x13, 0xc820109268, 0x1, 0x1, 0x0, 0x0, 0x0)
	/usr/lib/golang/src/reflect/value.go:303 +0xb1
github.com/urfave/cli.HandleAction(0x750ee0, 0x902d00, 0xc820076780, 0x0, 0x0)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x2ee
github.com/urfave/cli.Command.Run(0x84bbb0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8e1d40, 0x51, 0x0, ...)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xfec
github.com/urfave/cli.(*App).Run(0xc820001680, 0xc82000a100, 0x2, 0x2, 0x0, 0x0)
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0xaa4
main.main()
	/builddir/build/BUILD/docker-0e5a8b1aca91821971e556fef2fb0e50fcca5470/runc-aa860715c2e8ff4ab736a0168907ea975bf28f0e/main.go:137 +0xe24

Actual results:

Expected results:

Additional info:
object_r is not a valid role, but we should not panic.
object_r is only used as a placeholder for file contexts.

seinfo -r
Roles: 14
   auditadm_r
   dbadm_r
   guest_r
   staff_r
   user_r
   logadm_r
   object_r
   secadm_r
   sysadm_r
   system_r
   webadm_r
   xguest_r
   nx_server_r
   unconfined_r

All other roles can be used for processes. But the combination of a SELinux user, role, type, and level all have to be valid. Most of the time system services run with the system_r role. Most other roles are used for user roles, basically a logged-in user role.
You caused me to write a blog. http://danwalsh.livejournal.com/75683.html
This looks like runc gets an error and crashes.
What validation should we do? object_r is also included in the output of seinfo -r.
(In reply to Daniel Walsh from comment #5)
> You caused me to write a blog.
>
> http://danwalsh.livejournal.com/75683.html

Thanks for your blog.
Mrunal, I don't think we should do any validation; the call got a permission denied, but runc needs to handle this cleanly, not crash. You can probably get the same thing by passing in invalid types, levels, and SELinux users.
Since the panic is coming from golang, is this worth using recover() to catch the panic?
The panic is generated from the golang standard library.
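The two handling options raised in this thread, returning the exec error instead of panicking (comment from Daniel Walsh) and using recover() as a backstop (the question just above), as an added illustration in Go. This is example code written for this page, not runc's or docker's code: execUserProcess, isPermissionDenied, guardPanic and unexecutableScript are hypothetical names, and the "permission denied" is produced by a constructed non-executable file in a temp directory rather than by an SELinux label, so it runs without a container runtime.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// execUserProcess starts the user process. Where the trace above panics on a
// failed exec, this wraps the error with %w and returns it so the caller can
// report a clean "exec failed: permission denied" and exit non-zero.
func execUserProcess(path string, args ...string) error {
	cmd := exec.Command(path, args...)
	if err := cmd.Run(); err != nil {
		return fmt.Errorf("exec user process %q: %w", path, err)
	}
	return nil
}

// isPermissionDenied reports whether err came from EACCES/EPERM, which is
// what a denied execve (file mode or SELinux) surfaces as. errors.Is walks
// the %w chain down to the syscall.Errno inside the *os.PathError.
func isPermissionDenied(err error) bool {
	return errors.Is(err, os.ErrPermission)
}

// guardPanic runs f and converts any panic into an ordinary error, the
// recover() approach asked about in the thread. It is a last-resort backstop:
// recover only catches panics on the calling goroutine, so the real fix is
// still to return errors instead of panicking in the first place.
func guardPanic(f func()) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered from panic: %v", r)
		}
	}()
	f()
	return nil
}

// unexecutableScript writes a script with mode 0644 (no execute bit) into
// dir and returns its path. Constructed stand-in for a denied exec: even
// root cannot execve a file with no execute bit set.
func unexecutableScript(dir string) (string, error) {
	p := filepath.Join(dir, "entrypoint.sh")
	if err := os.WriteFile(p, []byte("#!/bin/sh\necho hello\n"), 0o644); err != nil {
		return "", err
	}
	return p, nil
}

func main() {
	dir, err := os.MkdirTemp("", "exec-example")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer os.RemoveAll(dir)

	script, err := unexecutableScript(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}

	// Clean path: the error is returned and reported, no stack trace.
	if err := execUserProcess(script); err != nil {
		fmt.Fprintf(os.Stderr, "exec failed: %v (permission denied: %t)\n",
			err, isPermissionDenied(err))
	}

	// Backstop path: a panic from deeper code is turned into an error.
	if err := guardPanic(func() { panic("simulated panic from init") }); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run with `go run .`; the first line on stderr is the wrapped exec error with `permission denied: true`, and the process exits 1 from the simulated panic without printing a goroutine dump.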